SANS ISC InfoSec Forums

There is a huge amount of information shared online by attackers. Once again, pastebin.com is a nice place to start hunting. As this material is available for free, why not use it for good? Attackers (with or without bots) are constantly looking for entry points on websites. Those entry points are a good place to search, for example, for SQL injections. Example:

add_to_cart.php?item=

As attackers are also hunting for new targets, they have automated tools or bots that scan the Internet for potential new victims. To do this, they use search engines and search for specific strings called "dorks". The term comes from the "Google Hacking Database Project"[1]. This is an old project, but attackers are still creating lists of interesting URIs and it's quite easy to find them. Here are examples of pasties with big lists of dorks:

https://pastebin.com/ABZ8Z8zy
https://pastebin.com/Tdvi8vgK

Why not reuse this free "bad" material to perform hunting in your own website's logs and have a head start on attackers? The benefits are multiple: you will probably detect suspicious pages that should not be publicly available and you'll be able to detect if people are already scanning your infrastructure.
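
The same hunt can be prototyped outside a SIEM. The following Python script is an added example, not code from the original diary; the dork entries other than `add_to_cart.php?item=`, the log lines and the function names are constructed for illustration. It matches URL-decoded request paths against a normalised dork list, then separates dorks that hit an existing page from clients probing several dorks.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed dork list in the style of public pastes; only the first entry
# comes from the diary, the rest are made up for illustration.
DORKS = 'inurl:add_to_cart.php?item=\nview_item.php?id=\n\ninurl:"shop/category.php?cat="\n'

# Constructed Apache combined-format lines (documentation IP ranges).
LOG = """\
192.0.2.10 - - [12/Mar/2018:06:25:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2018:06:25:03 +0000] "GET /add_to_cart.php?item=12 HTTP/1.1" 404 209 "-" "python-requests/2.18"
198.51.100.7 - - [12/Mar/2018:06:25:04 +0000] "GET /shop/Category.php%3Fcat=3 HTTP/1.1" 404 209 "-" "python-requests/2.18"
203.0.113.5 - - [12/Mar/2018:06:26:11 +0000] "GET /view_item.php?id=4 HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def load_dorks(text):
    """Normalise dork lines: skip blanks, drop the inurl: operator and quotes."""
    lines = (raw.strip().lower() for raw in text.splitlines())
    return {re.sub(r"^inurl:", "", d).strip('"') for d in lines} - {""}

def hunt(log_text, dorks):
    """Return [(client_ip, status, dork, uri)] for requests matching a dork."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable request line
        ip, uri, status = m.group(1), m.group(2), int(m.group(3))
        decoded = unquote(uri).lower()  # undo %3F-style encoding and case changes
        hits += [(ip, status, d, uri) for d in sorted(dorks) if d in decoded]
    return hits

def summarize(hits, min_dorks=2):
    """Dorks that hit an existing page (2xx), and IPs probing several dorks."""
    exposed = {d for _, status, d, _ in hits if 200 <= status < 300}
    per_ip = defaultdict(set)
    for ip, _, d, _ in hits:
        per_ip[ip].add(d)
    scanners = {ip for ip, ds in per_ip.items() if len(ds) >= min_dorks}
    return exposed, scanners

if __name__ == "__main__":
    found = hunt(LOG, load_dorks(DORKS))
    print(*found, summarize(found), sep="\n")
```

A 2xx hit means the dorked entry point exists on your site and deserves a review; several distinct dorks requested from one address suggest a client working through a list.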

With Splunk, create a CSV file containing all the interesting dorks and use a query like the following one to search for them across all your Apache logs: